In brief

  • Hackers have moved funds stolen in a 2016 Bitfinex hack.
  • The hackers have moved funds before.
  • A blockchain forensics expert thinks that the hackers may move funds between KYC-less exchanges before shifting them to Huobi or Binance.

Hackers have once again moved Bitcoin funds stolen from crypto exchange Bitfinex back in 2016. 

According to Whale Alert, a Twitter bot that traces large cryptocurrency transactions, the hackers moved 473.3 Bitcoin, worth $5.7 million, into an unknown wallet. The funds were split into several wallets, but the majority of the funds, 467 Bitcoin ($5.6 million) now sits in one wallet.

In August 2016, hackers pilfered about 120,900 Bitcoin from Bitfinex. At today’s prices, that’s roughly $1.4 billion in stolen funds, though the stash was only worth $72 million at the time. The hack, whose origins are still relatively unclear, single handedly caused Bitcoin’s value to drop by about 20%, from approximately $600 to $400. 

Bitfinex then gave all of its customers a 36% “haircut” (reducing their balances) from which they would be credited with a “BFX” token, redeemable for shares in iFinex, Bitfinex’s parent company. 

But Bitcoin has since spiked in value—four years is a long time, after all. It’s possible that the hackers have sold off much of the stolen, though it’s also possible that they held onto it in case the price of Bitcoin increased and they could cash out at a higher profit.

Either way, this is hardly the first time hackers have moved these funds. In June, they moved about $4 million worth of Bitcoin to unknown wallets. A month earlier, it moved 28.3 Bitcoin (about $250,000); last August, it moved 300 Bitcoin (then $2.7 million), and last June, 185 Bitcoin (then worth $2 million). 

So what are the hackers going to do with the money?

“If I had to guess,” Rich Sanders, CEO of blockchain forensics firm CipherBlade, told Decrypt, “what they're going to try to do is split funds into a bunch of wallets (which would be easily clustered by a tool like Chainalysis Reactor) and try to send them to InstaSwap or [other] KYC-lite/less exchanges.” (KYC stands for “know your customer,” which refers to the requirements of businesses such as crypto exchanges to collect personally identifiable information from their customers.)

The process Sanders described is called “chain-hopping”—hackers move funds around these exchanges so quickly that it’s too resource-intensive for authorities to place subpoenas on their accounts. 

Chainopping on lower-quality exchanges makes sense, since most of these exchanges aren’t spending money on the types of services that crypto tracing firms such as CipherTrace and Chainalysis provide, said Sanders. “Let alone a compliance officer, or one that’s competent,” he said. “So their ‘out’ is ‘Well, how could we have known?’”

Eventually, these funds are cashed out on large exchanges. Indeed, for this hack, historically, “the two largest baskets for terminal destinations are Binance and Huobi,” he said. 

“The past precedent is there,” said Sanders.